System and method for securing personal data elements

ABSTRACT

A system and method may obtain a connection profile, the connection profile including at least one rule related to at least one PII data element; associate the connection profile with a network connection; receive a data unit transmitted over the network connection, the data unit including at least a portion of the PII data element; and, based on the rule, perform at least one of: blocking transmission of the data unit, modifying the data unit, forwarding at least a portion of the data unit to a selected destination, storing the data unit, storing metadata related to the data unit, and reporting an event related to the data unit. A system and method may associate the connection profile with a set of connections. A system and method may automatically modify a set of connection profiles based on an event.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. patent application Ser. No. 14/987,793, filed on Jan. 5, 2016. The contents of the above applications are all hereby expressly incorporated by reference, in their entirety.

FIELD OF THE INVENTION

The present invention relates generally to securing data elements. More specifically, the present invention relates to securing data elements related to personal or private information.

BACKGROUND OF THE INVENTION

Systems and methods for protecting or securing data are known in the art. For example, a firewall may prevent access into a private or protected network based on port filtering. Other systems use access permissions in order to restrict access to files or folders in a storage system.

SUMMARY OF THE INVENTION

In some embodiments, a connection profile including at least one rule related to at least one personally identifiable information (PII) data element may be created and may be associated with a network connection. A data unit including at least a portion of the PII data element may be received. Based on a rule, at least one of: blocking transmission of the data unit, modifying the data unit, forwarding at least a portion of the data unit to a selected destination, storing the data unit, storing metadata related to the data unit, and reporting an event related to the data unit may be performed.

In some embodiments, a system and method may associate a connection profile with a set of connections. A set of connection profiles may be automatically modified based on an event. A map of flows of data elements may be graphically presented to a user. A data element may be associated with a token and an action may be performed based on a token identified in a data unit. A data element in a data unit may be modified based on a connection profile.

A user profile that includes at least one rule related to at least one data element may be obtained and the user profile may be associated with a set of network connections. A data unit transmitted over one of the network connections and including a data element related to the user may be intercepted, and, based on a rule, at least one of: blocking transmission of the data unit, modifying the data unit, forwarding at least a portion of the data unit to a selected destination, storing the data unit, storing metadata related to the data unit, and reporting an event related to the data unit may be performed.

Metadata related to a transaction, of at least a portion of a PII data element, from a protected system to an external system, may be stored, and a flow of PII data elements between the protected system and an external system may be presented based on stored metadata. An embodiment of the invention may present, to a user, PII data elements obtained by an external system, may receive from the user an indication of a restricted PII data element, and may prevent the restricted PII element from being transferred to the external system. An embodiment of the invention may store metadata related to a transaction, from a first external system to a second external system, of at least a portion of a PII data element, and present to a user a flow of PII data across a plurality of external systems.

BRIEF DESCRIPTION OF THE DRAWINGS

The subject matter regarded as the invention is particularly pointed out and distinctly claimed in the concluding portion of the specification. The invention, however, both as to organization and method of operation, together with objects, features and advantages thereof, may best be understood by reference to the following detailed description when read with the accompanied drawings. Embodiments of the invention are illustrated by way of example and not limitation in the figures of the accompanying drawings, in which like reference numerals indicate corresponding, analogous or similar elements, and in which:

FIG. 1 shows a high level block diagram of an exemplary computing device according to illustrative embodiments of the present invention;

FIG. 2 is an overview of a system according to illustrative embodiments of the present invention; and

FIG. 3 shows a flowchart of a method according to illustrative embodiments of the present invention.

It will be appreciated that for simplicity and clarity of illustration, elements shown in the figures have not necessarily been drawn accurately or to scale. For example, the dimensions of some of the elements may be exaggerated relative to other elements for clarity, or several physical components may be included in one functional block or element. Further, where considered appropriate, reference numerals may be repeated among the figures to indicate corresponding or analogous elements.

DETAILED DESCRIPTION OF THE INVENTION

In the following detailed description, numerous specific details are set forth in order to provide a thorough understanding of the invention. However, it will be understood by those skilled in the art that the present invention may be practiced without these specific details. In other instances, well-known methods, procedures, and components, modules, units and/or circuits have not been described in detail so as not to obscure the invention. Some features or elements described with respect to one embodiment may be combined with features or elements described with respect to other embodiments. For the sake of clarity, discussion of same or similar features or elements may not be repeated.

Although embodiments of the invention are not limited in this regard, discussions utilizing terms such as, for example, “processing,” “computing,” “calculating,” “determining,” “establishing”, “analyzing”, “checking”, or the like, may refer to operation(s) and/or process(es) of a computer, a computing platform, a computing system, or other electronic computing device, that manipulates and/or transforms data represented as physical (e.g., electronic) quantities within the computer's registers and/or memories into other data similarly represented as physical quantities within the computer's registers and/or memories or other information storage medium that may store instructions to perform operations and/or processes. Although embodiments of the invention are not limited in this regard, the terms “plurality” and “a plurality” as used herein may include, for example, “multiple” or “two or more”. The terms “plurality” or “a plurality” may be used throughout the specification to describe two or more components, devices, elements, units, parameters, or the like. The term set when used herein may include one or more items. Unless explicitly stated, the method embodiments described herein are not constrained to a particular order or sequence. Additionally, some of the described method embodiments or elements thereof can occur or be performed simultaneously, at the same point in time, or concurrently.

Reference is made to FIG. 1, showing a high level block diagram of an exemplary computing device according to some embodiments of the present invention. Computing device 100 may include a controller 105 that may be, for example, a central processing unit processor (CPU), a chip or any suitable computing or computational device, an operating system 115, a memory 120, an executable code 125, a storage system 130, input devices 135 and output devices 140. Controller 105 may be configured to carry out methods described herein, and/or to execute or act as the various modules, units, etc. More than one computing device 100 may be included, and one or more computing devices 100 may act as the various components, for example, security enforcement unit (SEU) 220 and SEU 230 shown in FIG. 2 and described herein may be, or may include, components of computing device 100 such as controller 105 and memory 120.

For example, by executing executable code 125 stored in memory 120, controller 105 may be configured to carry out a method of securing data elements as described herein. For example, controller 105 may be configured to associate a connection profile with a network connection and, based on a rule in the connection profile, block or modify a personally identifiable information (PII) data element transmitted over the network connection.

A network connection as referred to herein may be any network connection or link as known in the art. For example, a network connection may be, or may be defined by, one or more internet protocol (IP) addresses and ports or a set of transmission control protocol (TCP) ports and the like. A network connection may be, or may include, a physical connection, e.g., a wire. A network connection may be a wireless connection as known in the art. Receiving or obtaining data transmitted over a network connection may be done using systems and methods known in the art. For example, using a network sniffer known in the art, SEU 220 may capture, intercept or otherwise obtain and store, any data transmitted over network connection 224.

Operating system 115 may be or may include any code segment (e.g., one similar to executable code 125 described herein) designed and/or configured to perform tasks involving coordination, scheduling, arbitration, supervising, controlling or otherwise managing operation of computing device 100, for example, scheduling execution of software programs or enabling software programs or other modules or units to communicate. Operating system 115 may be a commercial operating system.

Memory 120 may be or may include, for example, a Random Access Memory (RAM), a read only memory (ROM), a Dynamic RAM (DRAM), a Synchronous DRAM (SD-RAM), a double data rate (DDR) memory chip, a Flash memory, a volatile memory, a non-volatile memory, a cache memory, a buffer, a short term memory unit, a long term memory unit, or other suitable memory units or storage units. Memory 120 may be or may include a plurality of, possibly different memory units. Embodiments of the invention may include a non-transitory computer-readable storage medium having stored thereon instructions which when executed by a processor cause the processor to carry out methods as described herein. For example, memory 120 may be a computer or processor non-transitory readable medium, or a computer non-transitory storage medium, e.g., a RAM.

Executable code 125 may be any executable code, e.g., an application, a program, a process, task or script. Executable code 125 may be executed by controller 105 possibly under control of operating system 115. For example, executable code 125 may be an application that enforces security measures related to personal or private data elements as further described herein. Although, for the sake of clarity, a single item of executable code 125 is shown in FIG. 1, a system according to some embodiments of the invention may include a plurality of executable code segments similar to executable code 125 that may be loaded into memory 120 and cause controller 105 to carry out methods described herein. For example, units or modules described herein (e.g., security enforcement units 220 and 230 shown in FIG. 2 and described herein) may be, or may include, controller 105, memory 120 and executable code 125.

Storage system 130 may be or may include, for example, a hard disk drive, a floppy disk drive, a Compact Disk (CD) drive, a CD-Recordable (CD-R) drive, a Blu-ray disk (BD), a universal serial bus (USB) device or other suitable removable and/or fixed storage unit. Content may be stored in storage system 130 and may be loaded from storage system 130 into memory 120 where it may be processed by controller 105. In some embodiments, some of the components shown in FIG. 1 may be omitted. For example, memory 120 may be a non-volatile memory having the storage capacity of storage system 130. Accordingly, although shown as a separate component, storage system 130 may be embedded or included in memory 120.

Input devices 135 may be or may include a mouse, a keyboard, a touch screen or pad or any suitable input device. It will be recognized that any suitable number of input devices may be operatively connected to computing device 100 as shown by block 135. Output devices 140 may include one or more displays or monitors, speakers and/or any other suitable output devices. It will be recognized that any suitable number of output devices may be operatively connected to computing device 100 as shown by block 140. Any applicable input/output (I/O) devices may be connected to computing device 100 as shown by blocks 135 and 140. For example, a wired or wireless network interface card (NIC), a printer, a universal serial bus (USB) device or external hard drive may be included in input devices 135 and/or output devices 140.

A system according to some embodiments of the invention may include components such as, but not limited to, a plurality of central processing units (CPU) or any other suitable multi-purpose or specific processors or controllers (e.g., controllers similar to controller 105), a plurality of input units, a plurality of output units, a plurality of memory units, and a plurality of storage units. A system may additionally include other suitable hardware components and/or software components. In some embodiments, a system may include or may be, for example, a personal computer, a desktop computer, a laptop computer, a workstation, a server computer, a network device, or any other suitable computing device. For example, a system as described herein may include one or more devices such as computing device 100.

Reference is made to FIG. 2, an overview of a system 200 according to some embodiments of the present invention. As shown, a system 200 may include SEU 220 and SEU 230. As further shown, a system may include user profiles 240. As shown, an external system 226 may be connected to a protected system 210 over a network connection 224. Similarly, and as shown, external system 236 may be connected to protected system 210 over a network connection 234. As illustrated by dashed line 280, external systems 226 and 236 may be external to protected system 210. For example, protected system 210 may be a system inside an organization (e.g., a server connected to an intranet of an organization) and connections 224 and 234 may connect the organization to the internet or the outside world. Although SEUs 220 and 230, connection profiles 222 and 232 and user profiles 240 are shown on the internal side, other configurations may be contemplated. For example, SEU 220 may be placed on a border between an internal network and the internet, e.g., the way gateways are installed as known in the art. As described herein, the definition of an internal and/or external system may be based on a user input; for example, by configuring SEU 230 to control transmission of PII data elements from a first system to a second system, a user may define the first system as an internal one and the second system as an external system, e.g., the second system may be treated by an embodiment of the invention as external to the first system.

Generally, an external system as referred to herein may be any system (e.g., server) that is connected to a protected system via a network that is not controlled by the owner or operator of the protected system. For example, an internal or protected system (e.g., system 210) may be a set of servers of, or owned or controlled by, a medical institution (e.g., a hospital or a medical center) and an external system (e.g., external system 226) may be a set of servers owned or operated by a bank. Some information may be exchanged between a protected and an external system; for example, in order to facilitate payment for medical services provided by a medical center that operates protected system 210, communication with an external system 236 that is operated by a bank may be required. As described herein, a system and method according to some embodiments of the invention may monitor and control the sharing of PII data between an internal or protected system (e.g., a computing system of a hospital) and a system that is external to the protected system (e.g., a system operated by a bank, a government etc.). A definition of what is a protected system and/or what a protected system includes may be received from a user. For example, a user may define the network connections to be monitored and controlled as described such that any set of servers or any system is protected. Similarly, an external system may be user defined. For example, by configuring a system to monitor and control network connections 224 and 234 as described and assuming these are the only connections between protected system 210 and external systems 226 and 236, a user may define systems 226 and 236 as external systems and system 210 as a protected system.

As further shown, connection profile 222 may be associated (e.g., by SEU 220) with connection 224 and, similarly, profile 232 may be associated (e.g., by SEU 230) with connection 234. For the sake of clarity and simplicity, only two external systems and their respective connections are shown. However, it will be understood that a system according to some embodiments of the invention may include, or be connected to, any number of external systems. Accordingly, any number of connections between a protected system 210 and any number of external systems may be supported by a system and method according to some embodiments of the invention. As shown, a protected system 210 may include PII data elements 211 and 212. Although two separate SEUs (220 and 230) are shown, other configurations may be possible. For example, a single SEU may be connected to, or may access, a plurality of connection profiles (e.g., connection profiles 222 and 232) and the single SEU may enforce security measures on a plurality of connections to a plurality of external systems.

Protected system 210 may be any application or storage system that stores or includes personal, sensitive or private data. For example, protected system 210 may be, or may include components of, computing device 100, e.g., protected system 210 may be a server and storage system inside an organization's network. For example, protected system 210 may be owned and managed by a medical center and, accordingly, private and sensitive information may be stored, e.g., as shown by PII data elements 211 and 212, in a disk included in protected system 210.

PII data elements 211 and 212 may be PII data elements as known in the art, e.g., PII data elements 211 and 212 may include for example a name, address, medical information, phone number, electronic mail (email) address, financial data and the like. Personal data elements, e.g., as shown by PII data elements 211 and 212, may be, or may be included in, any suitable object or structure, e.g., a file, an entry or record in a database and so on.

SEU 220 may be any unit or module adapted to monitor data transmitted over network connection 224. SEU 220 may be any unit or module adapted to identify data elements transmitted over network connection 224. For example, using (or including) a network sniffer as known in the art, SEU 220 may identify or determine that data elements such as PII data elements 211 or 212, or portions of data elements, are being sent over network connection 224.

SEU 220 may be any unit or module adapted to block transmission of a data unit or data element on network connection 224, or modify a data unit transmitted on network connection 224.

A data unit as referred to herein may be any suitable data object. For example, a data unit may be a network packet or message as known in the art or a data unit may be a record in a database, e.g., a customer record that includes data elements such as name, home address, age etc. It will be understood that systems and methods according to some embodiments of the invention may identify, detect and process data elements included in any object, block of data, or data unit. Accordingly, some embodiments of the invention may receive, intercept or otherwise obtain, a data unit transmitted over a network connection, the data unit including at least a portion of the PII data element, may extract data elements or portions thereof from the data unit, and perform operations related to management of sharing of data elements as described herein.

As further described herein, SEU 220 may forward at least a portion of a data unit to a selected destination or it may store the data unit and/or metadata related to the data unit (e.g., record or log an event as described herein). SEU 220 may report, log or record an event related to the data unit, e.g., alert an administrator when detecting that sensitive data is being accessed by an external system. SEU 230 may be similar to SEU 220.

Connection profile 222 may be any digital object, e.g., a file stored in a storage system accessible to SEU 220 or a memory segment. For example, connection profile 222 may be stored in storage system 130 or in memory 120 and controller 105 may thus be enabled to use connection profile 222 as described herein. User profiles 240 may be a set or plurality of user profiles that include rules, criteria or other data related to users. For example, a user profile may indicate that specific data elements of the user may not be transmitted to, or shared with, a specific one or more external systems. For example, a first user profile may indicate that an email of the user may be sent to, or shared with, external system 226 but that the email must not be sent to, or shared with, external system 236. In other cases, a user profile may forbid sharing a data element with any external system. In yet other cases, a user profile may include an indication, for specific data elements or portions of data elements stored in protected system 210, whether or not they may be shared with external systems. For example, a user profile may indicate that the user's name may be freely shared with external systems, but the user's home address may not be shared with external systems.

External systems 226 and 236 may be servers or computer applications. For example, external system 226 may be a server and/or application of an organization that provides services to the owner of protected system 210. Accordingly, data may be exchanged between protected system 210 and external systems 226 and 236. As described, some of the data flow between protected system 210 and external system 226 may be allowed or enabled and some data flow may be blocked or prevented. For example, based on a connection profile associated with a connection (e.g., connection profile 222 may be associated with connection 224), some of the data sent from protected system 210 over network connection 224 may be blocked, modified, reported and so on. Association of a connection profile with a network connection may be, or may include, configuring an SEU to use the associated connection profile when monitoring or enforcing security on a network connection. For example, associating network connection 224 with connection profile 222 may include providing connection profile 222 to SEU 220 and/or configuring SEU 220 to use rules and other data in connection profile 222 in order to enforce security on network connection 224.

Accordingly, a system and computer-implemented method according to some embodiments of the invention may obtain a connection profile, the connection profile including at least one rule related to at least one personally identifiable information (PII) data element.

In some embodiments, a connection profile may be defined and/or created based on input from a user. A connection profile may include one or more rules related to one or more personally identifiable information (PII) data elements. For example, a user may want to allow customer names stored in protected system 210 to be shared with external system 226 but prevent sharing of email addresses of the customers. In such an exemplary case, connection profile 222 may be created or updated such that a data element including a name is allowed to be forwarded to external system 226 but a data element that includes an email is blocked or deleted.

For example, a connection profile may include the information as shownin Table 1 below:

TABLE 1

Data element    Block   Log   Modify/Delete   Alert   USER ID   ACCESS ID   Forward
Email address   No      Yes   No              No      Token-A   Token-C
Name            Yes     No    No              Yes     Token-B   *           32.182.61.23
Home address    No      Yes   Yes             No      *         *

As described, a connection profile may include rules related to personally identifiable information (PII) data elements. For example, rules for data elements are shown in Table 1 and further described herein. For example, if connection profile 222 includes the information shown in Table 1 and is further associated with network connection 225, then using it as shown in FIG. 1, SEU 220 may allow an email address to be forwarded to external system 226 (this rule is reflected in the “No” under “Block” in Table 1) and SEU 220 may log or record that an email address was forwarded. Since, in the example above, the alert and modify actions for the email address data element are not set, SEU 220 may avoid logging or recording the event. Using Table 1 as connection profile 222, SEU 220 may block a data element that includes a customer's name and may further generate an alert if an attempt to send a name from protected system 210 to external system 226 over connection 224 is identified or detected. For example, an alert may include a pop-up window on an administrator screen, sending a text message, sounding an alarm using speakers of a computer, sending an email message and the like. For example, blocking a data element or data unit may include discarding the data element or unit without sending or forwarding it to its destination.

Using Table 1 as connection profile 222, SEU 220 may log or record an event that includes sending a data element that includes a home address of a user, customer or person. For example, logging or recording an event may include storing (e.g., in storage system 130) the type of data element (e.g., home address), the time and date the data element was detected, the source and destination of the data unit that includes the data element, a user or application that requested the data element, a user or application that sent the data element and/or any other data or metadata related to a transaction of a data element. Recording or logging an event may include storing, in a database, the entire data unit or entire data element, e.g., as received or obtained.

Using Table 1 as connection profile 222, SEU 220 may modify or delete a data element or a portion thereof. For example, a home address may be modified, for example, scrambled or otherwise encrypted, e.g., such that using a key, the home address can be reconstructed from an encrypted version. In another case, the home address or another data element may be replaced by content. For example, SEU 220 may replace a name, address or other PII data element with text such as “content automatically removed by a security unit”. A data element (e.g., home address when using Table 1 as a connection profile) may be deleted. For example, a data unit that includes a home address data element and additional data elements may be intercepted by SEU 220, SEU 220 may delete or remove the home address data element from the data unit and forward the data unit (that no longer includes the home address data element) to external system 226.

A system and method according to some embodiments of the invention may perform an action related to sharing PII data elements based on the user related to the data (e.g., the user to whom a PII data element pertains) and/or based on the user or application who accesses (or attempts to access) the PII data elements. In some embodiments, any of: a PII data element; a user; and/or an application may be associated with a token and an action performed may be based on a token identified in the data unit or other message sent over a network.

For example, as shown by Table 1, tokens may be used to identify users and entities. Tokens used by some embodiments of the invention may be as known in the art. Any system and method as known in the art may be used in order to generate (possibly unique) tokens for users and applications, insert tokens into messages and extract tokens from messages. For example, as known in the art, tokens are used to represent credit card numbers such that an actual card number need not be stored and/or communicated over networks (thus increasing security). In a similar way, tokens may be generated by a system, e.g., for users, and the tokens may be included in messages that include PII data elements. For example, assuming that the token “13579” is associated with a user named “John Doe”, when PII data elements of John Doe are sent in a message, the token “13579” may be included in the message. Similarly, when a request from a user or application is sent, e.g., to protected system 210, a token that identifies the user or application may be inserted into the request. Accordingly, sharing of PII data elements may be controlled based on the user to which the data belongs or pertains and based on the user or application that requests the PII data elements.

For example, the “USER ID” column in Table 1 may indicate, for each entry in a connection profile, to which user the entry applies. For example, the rule for the email address data element in Table 1 may be applicable to a user identified by token “Token-A”, the rule for the name data element may be applicable to a user identified by token “Token-B”, and the rule for the home address may be applicable to any user as indicated by the “*”. As described, rules may be related to the entity that accesses (or attempts to access) a data element. For example, and as shown, the rule for the email address in Table 1 may be applicable to an entity associated with (or identified by) the token “Token-C”.

Accordingly, rules in a connection profile may be configured such that access to a PII data element of a specific user by a specific user or application is controlled. For example, using configurations as shown in Table 1, some embodiments of the invention may allow only one specific user or application to access PII data of a specific user.

Logging or recording as described herein may include user identification such that some embodiments of the invention may report operations related to a specific user or a specific data element. For example, when logging accesses made to PII data elements as described, SEU 220 may include user tokens in the log data. Accordingly, some embodiments of the invention may answer a question such as “who accessed data of John Doe?”, “what are the specific PII data elements of John Doe that were accessed or shared in the past 24 hours?”, “What are the PII data elements (of all users) accessed in the past week?” and so on.
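The following is an added illustration, not code from the patent or from any product it describes: a toy security enforcement unit that applies the Table 1 connection profile to a data unit, matches the USER ID and ACCESS ID tokens, carries out the block, log, modify, alert and forward actions, and answers the “who accessed data of this user?” question from the stored event metadata. The representation of a data unit as a dictionary of named elements, the placeholder text used for modification, the assumption that a copy goes to the Forward destination even when the unit is blocked, and the assumption that an element with no matching rule passes unchanged are all choices made for this example; the tokens and address are the ones shown in Table 1.

```python
"""Added example (not from the patent): an SEU applying a Table 1 style profile.

Assumptions made here (not stated in the patent): a data unit is a dict of named
PII data elements; the user token the data pertains to and the requester's
access token travel with the unit; elements without a matching rule pass through.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

REMOVED = "content automatically removed by a security unit"


@dataclass(frozen=True)
class Rule:
    element: str                   # data element name, e.g. "email"
    block: bool = False
    log: bool = False
    modify: bool = False           # Modify/Delete column: replace the value
    alert: bool = False
    user_id: str = "*"             # USER ID token the data pertains to, "*" = any
    access_id: str = "*"           # ACCESS ID token of the requester, "*" = any
    forward: Optional[str] = None  # Forward destination that receives a copy

    def matches(self, element: str, user_tok: str, access_tok: str) -> bool:
        return (self.element == element
                and self.user_id in ("*", user_tok)
                and self.access_id in ("*", access_tok))


@dataclass
class Event:
    element: str
    user_id: str
    access_id: str
    action: str
    time: datetime


@dataclass
class SEU:
    profile: list                                   # list of Rule (the connection profile)
    log: list = field(default_factory=list)         # stored event metadata
    alerts: list = field(default_factory=list)
    forwarded: list = field(default_factory=list)   # (destination, element, value)

    def process(self, unit: dict, user_tok: str, access_tok: str,
                now: Optional[datetime] = None) -> Optional[dict]:
        """Return the data unit to send on, or None when transmission is blocked."""
        now = now or datetime.now(timezone.utc)
        out = {}
        for element, value in unit.items():
            rule = next((r for r in self.profile
                         if r.matches(element, user_tok, access_tok)), None)
            if rule is None:                 # assumption: no rule means pass-through
                out[element] = value
                continue
            if rule.log:
                self.log.append(Event(element, user_tok, access_tok, "sent", now))
            if rule.alert:
                self.alerts.append(f"{element} of {user_tok} requested by {access_tok}")
            if rule.forward:                 # copy to the selected destination
                self.forwarded.append((rule.forward, element, value))
            if rule.block:
                return None                  # discard the whole data unit
            out[element] = REMOVED if rule.modify else value
        return out

    def who_accessed(self, user_tok: str, within: timedelta,
                     now: Optional[datetime] = None) -> set:
        """Answer 'who accessed data of <user>?' from the logged metadata."""
        now = now or datetime.now(timezone.utc)
        return {e.access_id for e in self.log
                if e.user_id == user_tok and now - e.time <= within}


# Table 1 encoded as rules; token names and the forward address are as in the table.
TABLE_1 = [
    Rule("email", block=False, log=True, modify=False, alert=False,
         user_id="Token-A", access_id="Token-C"),
    Rule("name", block=True, log=False, modify=False, alert=True,
         user_id="Token-B", access_id="*", forward="32.182.61.23"),
    Rule("home_address", block=False, log=True, modify=True, alert=False),
]

if __name__ == "__main__":
    seu = SEU(TABLE_1)
    print(seu.process({"email": "a@example.test", "home_address": "1 Main St"},
                      "Token-A", "Token-C"))
    print(seu.process({"name": "Jane"}, "Token-B", "Token-Z"), seu.alerts)
    print(seu.who_accessed("Token-A", timedelta(hours=24)))
```

Rule lookup is first-match, so a profile that lists a specific-token rule before a wildcard rule for the same element behaves as an exception list; the query over `log` is what the patent's “past 24 hours” reporting reduces to once user tokens are stored with each event.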

It will be understood that Table 1 and the rules discussed above are exemplary and simplified rules and that a network connection profile may include complex rules. For example, a rule may be related to a request related to a PII data element, e.g., an action performed by an SEU may be based on the request, e.g., on who the source, requester, or requestor, for the data element is. A rule in a connection profile may be related to a method or system used for requesting or providing the data element (e.g., responses to batch requests may be blocked). A rule in a connection profile may be related to a time or date, e.g., some data elements may not be shared during specific times (e.g., after work or office hours). A rule in a connection profile may be related to a frequency of accessing a PII data element, e.g., data elements rarely accessed or requested may not be shared and data elements frequently shared may be allowed to be shared. A rule in a connection profile may be related to the user or application requesting (or attempting to access) a data element. A rule in a connection profile may be related to the storage system that stores or includes the data element, e.g., data elements from a first server or database in an organization may be shared with an external system but data elements in a second server or database may not be shared, e.g., they may be blocked as described. A rule in a connection profile may be related to a flow. For example, data elements requested during a backup procedure or flow may be forwarded but blocked otherwise. A rule in a connection profile may be related to a pattern, e.g., sharing of data elements related to, or requested in, a known pattern that includes a sequence of predefined requests may be allowed or blocked based on a rule for the pattern.
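As an added example (not code from the patent), the richer rule kinds listed above can be expressed as predicates over a request record that the SEU evaluates in order, the first matching rule deciding the action. The request fields, the office-hours window, the frequency threshold, the requester token and the sample requests are all constructed for this example; the patent does not specify them.

```python
"""Added example (not from the patent): connection-profile rules on request
source, batch requests, time of day, access frequency, source storage and flow.

Assumptions (not in the patent): the Request fields, the 08:00-18:00 office-hours
window, the "fewer than 3 prior requests means rarely accessed" threshold and the
token/database names are constructed here.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, time
from typing import Callable

BLOCK, FORWARD = "block", "forward"


@dataclass(frozen=True)
class Request:
    element: str            # PII data element requested, e.g. "ssn"
    requester: str          # token of the requesting user or application
    when: datetime
    batch: bool = False     # response to a batch request
    source_db: str = "db1"  # storage system holding the element (constructed name)
    flow: str = ""          # e.g. "backup"


def outside_office_hours(start: time = time(8, 0),
                         end: time = time(18, 0)) -> Callable[[Request], bool]:
    """Predicate: the request falls outside the working-hours window."""
    return lambda r: not (start <= r.when.time() < end)


class FrequencyTracker:
    """Counts requests per element so a rule can withhold rarely-requested data."""

    def __init__(self, minimum: int):
        self.minimum = minimum
        self.seen = Counter()

    def rarely_accessed(self, r: Request) -> bool:
        self.seen[r.element] += 1
        return self.seen[r.element] < self.minimum


def evaluate(rules: list, r: Request, default: str = FORWARD) -> str:
    """First rule whose predicate holds decides; otherwise the default applies."""
    for predicate, action in rules:
        if predicate(r):
            return action
    return default


def build_profile(tracker: FrequencyTracker) -> list:
    # Order matters: the frequency predicate has a side effect (it counts), so it is
    # placed last and only counts requests that no earlier rule already decided.
    return [
        (lambda r: r.flow == "backup", FORWARD),       # backup flow always forwarded
        (lambda r: r.batch, BLOCK),                    # responses to batch requests blocked
        (outside_office_hours(), BLOCK),               # nothing shared after office hours
        (lambda r: r.source_db == "db2", BLOCK),       # second database never shared
        (lambda r: r.requester == "Token-Q", BLOCK),   # one specific requester denied
        (tracker.rarely_accessed, BLOCK),              # rarely requested elements withheld
    ]


if __name__ == "__main__":
    rules = build_profile(FrequencyTracker(minimum=3))
    noon = datetime(2016, 1, 5, 12, 0)
    print(evaluate(rules, Request("ssn", "Token-P", noon, batch=True)))   # block
    print(evaluate(rules, Request("ssn", "Token-P", noon, flow="backup")))  # forward
```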

Systems and methods according to some embodiments of the invention may create and/or update connection profiles, rules and policies based on user input. For example, using a web browser, a user (e.g., an administrator or privileged user) may access sensitive information, e.g., PII data elements 211 and 212 that may be displayed in the web browser. For example, an administrator may use a web browser in external system 226. As described, PII data elements 211 and 212 may include a social security number (SSN), phone number, email address and home address of a user. Specific data elements may be marked or indicated when presented to an administrator, e.g., during a setup or configuration phase. For example, SEU 220 or another unit may modify information presented to the administrator, e.g., data elements or fields such as SSN, phone number, email and full address may be highlighted when shown to the administrator. For example, if an SSN is included in data sent to an administrator as described, the SSN may be automatically highlighted by a system or method in order to draw the attention of the administrator to the fact that sensitive or private information is being sent from a protected system.

During a configuration or a setup phase, sensitive data elements or fields (e.g., highlighted as described) may be clicked by an administrator in order to indicate to a system and/or method according to some embodiments of the invention that a rule for a clicked-on data element is to be created or updated. When a data element is clicked on, a screen may be opened by a configuration unit (e.g., one executed as a plug-in in the administrator's web browser) and, using the screen, the administrator may then configure rules for the data element. For example, the administrator may configure rules such as the rules described above with reference to Table 1.

For example, for an SSN data element, the administrator may configure a rule or policy for a specific connection (e.g., by indicating a source and destination network address, e.g., IP addresses). A configured rule or policy may include an action, e.g., block the data element (e.g., prevent the data element from being sent from a source address to a destination address), delete the data element or modify the data element as described. As described, a rule or policy may be configured for specific data elements, e.g., an administrator can set a rule that blocks or prevents sending an email address and another rule that modifies a credit card number (e.g., deletes some of the numbers leaving only a portion of the credit card number, or leaving only a city in a full address data element).
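The following Python sketch, added here as an illustration and not taken from the patent, models a connection profile as a list of rules of the kinds described in the paragraphs above (per data element, optionally conditioned on requester and time of day) and applies them to a data unit, including the credit card and address modifications just mentioned. The element names, the masking behaviour, the addresses and the sample data unit are constructed for the example.

```python
"""Connection profile as a list of rules over PII data elements (added example;
not code from the patent). A data unit is modelled as a dict of field -> value."""
from dataclasses import dataclass, field
from datetime import time
from typing import Callable, Dict, List, Optional, Set, Tuple

BLOCK, MODIFY, FORWARD = "block", "modify", "forward"


@dataclass
class Rule:
    element: str                           # PII element covered, e.g. "ssn" (assumed names)
    action: str                            # BLOCK, MODIFY or FORWARD
    requesters: Optional[Set[str]] = None  # requesters the rule applies to; None = any
    hours: Optional[Tuple[time, time]] = None  # time-of-day window; None = any time
    modifier: Optional[Callable[[str], str]] = None  # transformation used for MODIFY

    def matches(self, requester: str, at: time) -> bool:
        """Condition check: the rule applies only to the named requesters/hours."""
        if self.requesters is not None and requester not in self.requesters:
            return False
        if self.hours is not None and not (self.hours[0] <= at <= self.hours[1]):
            return False
        return True


@dataclass
class ConnectionProfile:
    source: str        # source address of the managed connection
    destination: str   # destination address of the managed connection
    rules: List[Rule] = field(default_factory=list)

    def rule_for(self, element: str, requester: str, at: time) -> Optional[Rule]:
        """First rule that names the element and whose conditions hold; None if no rule."""
        for rule in self.rules:
            if rule.element == element and rule.matches(requester, at):
                return rule
        return None


def mask_card(number: str) -> str:
    """Modify a card number: keep only its last four digits."""
    digits = "".join(ch for ch in number if ch.isdigit())
    return "*" * (len(digits) - 4) + digits[-4:]


def city_only(address: str) -> str:
    """Modify a full address of the assumed form 'street, city, postcode': keep the city."""
    parts = [p.strip() for p in address.split(",")]
    return parts[1] if len(parts) >= 2 else ""


def apply_profile(profile: ConnectionProfile, data_unit: Dict[str, str],
                  requester: str, at: time) -> Tuple[Optional[Dict[str, str]], Dict[str, str]]:
    """Decide an action per element; return (unit to forward or None, decisions).

    Elements with no matching rule are forwarded unchanged. A BLOCK on any
    element blocks transmission of the whole data unit.
    """
    decisions: Dict[str, str] = {}
    forwarded: Dict[str, str] = {}
    for element, value in data_unit.items():
        rule = profile.rule_for(element, requester, at)
        action = rule.action if rule else FORWARD
        decisions[element] = action
        if action == MODIFY and rule.modifier is not None:
            value = rule.modifier(value)
        forwarded[element] = value
    if BLOCK in decisions.values():
        return None, decisions
    return forwarded, decisions


# Constructed profile for an assumed connection (documentation addresses).
PROFILE = ConnectionProfile(
    source="10.0.0.5", destination="203.0.113.7",
    rules=[
        Rule("ssn", BLOCK),
        Rule("card", MODIFY, modifier=mask_card),
        Rule("address", MODIFY, modifier=city_only),
        # Email may leave only for the reporting job during office hours...
        Rule("email", FORWARD, requesters={"reporting"}, hours=(time(9), time(17))),
        # ...and is blocked for every other requester or time (catch-all rule).
        Rule("email", BLOCK),
    ],
)

# Constructed sample data unit; the values are made up.
SAMPLE_UNIT = {
    "name": "Jane Example",
    "email": "jane@example.com",
    "card": "4111 1111 1111 1111",
    "address": "1 Main St, Springfield, 00000",
}


def demo():
    """Run the same data unit through the profile as two different requests."""
    allowed, d1 = apply_profile(PROFILE, SAMPLE_UNIT, "reporting", time(10, 0))
    blocked, d2 = apply_profile(PROFILE, SAMPLE_UNIT, "batch-export", time(22, 0))
    return {"reporting": (allowed, d1), "batch": (blocked, d2)}


if __name__ == "__main__":
    for who, (unit, decisions) in demo().items():
        print(who, decisions, unit)
```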

Data elements may be found in any file or object being sent from a protected system to an external system. For example, Excel files are known in the art and are frequently used to communicate information. Some embodiments of the invention may examine content in Excel or other files, identify sensitive or private information in the files and apply rules or policies to the information as described herein.

Any logic may be used to create or update rules and policies. For example, rules and policies may be set according to the set of questions: who, how and why. For example, a rule for a data element may be set based on who is accessing the data element (e.g., what user or what organization is accessing the data element), how (e.g., how is the user accessing the data element, over a secured network?, over a social network?, from within a protected system? etc.) and why or what for the data element is being accessed (e.g., for a backup?, for a monthly report etc.).

For example, a rule may include allowing a first user to access a data element but preventing a second user from accessing the data element. A rule may allow a data element to be accessed for backup but not for downloading the data element to a private computer. A rule may allow a data element to be accessed over a first network but prevent accessing the data element when accessed over a second network.

For example, an Excel™ spreadsheet or other spreadsheet file that includes a PII data element may be hosted at the “google docs” or other cloud or remote file storage service. When the Excel file is accessed using a connection with, or from, a trusted party (e.g., a party known to SEU 220 as trusted) then, using a rule (e.g., in connection profile 222) SEU 220 may allow users' emails and first names to be sent to the trusted party but block other PII data elements, e.g., block users' home address from being sent to the trusted party over the connection.

SEU 220 may generate rules or policies based on machine learning. For example, during a learning phase, rules may be automatically created and stored in connection profile 222, by SEU 220. For example, based on PII data elements being shared during a learning phase, SEU 220 may create rules that allow sharing of the shared PII data elements.

A connection profile may be associated with, and/or created and updated for, any type of connection. For example, a connection may be defined by a source address and a destination address (e.g., source and destination IP addresses) or it may be a connection implemented by a specific system or infrastructure (e.g., a wired connection). A connection may be any connection between two organizations, e.g., a connection as defined by a system may include, or be used for, all digital data communicated between two organizations. For example, a system and method according to some embodiments of the invention may create, use, and update a connection profile for all the network connections that connect two organizations or for all data communicated over a specific wired, physical connection and/or for all data communicated or exchanged over a connection defined by IP addresses as known in the art.

As described, a connection profile may be created based on user input. In some embodiments, a network connection profile may be created automatically, e.g., by an SEU. For example, either continuously or during a learning phase, SEU 220 may learn the traffic over network connection 224, e.g., log or record which data elements are frequently shared with external system 226 and may use any statistical methods or heuristics in order to update or generate rules and policies in connection profile 222. For example, SEU 220 may create a rule in connection profile 222 that blocks data elements that are rarely requested.

By observing data, information and metadata related to rules as described, an SEU (e.g., SEU 230) may store, create, modify or update any of the rules described herein, in a connection profile. For example, SEU 220 may automatically update rules in a connection profile based on any of: a request related to a PII data element, a response related to the PII data element, a source of a request related to the PII data element, a method or system used for accessing the PII data element, a time when the PII data element was accessed, a frequency of accessing the PII data element, a user accessing the PII data element, an application accessing the PII data element, a storage system or location of the PII data element, a flow that includes accessing the PII data element and a pattern related to accessing the PII data element. For example, SEU 230 may use any logic or heuristics as described herein in order to create, store or update rules in a connection profile.

For example, SEU 220 may define, create or update a rule in connection profile 222 based on a flow that includes accessing the PII data element or based on a pattern related to accessing a PII data element. For example, by monitoring and recording or logging access operations related to a PII data element (e.g., during a learning stage), SEU 220 may identify a flow that includes accessing, by a backup application, a set of PII data elements every day at the same time. For example, an automated daily backup application may read specific PII data elements every day or once a week at 18:00; such a pattern may be identified by SEU 220 as legitimate and may therefore be allowed, e.g., SEU 220 may allow the backup application to access the PII data elements every day or once a week at 18:00 but may forbid or prevent access to the PII data elements at other times and/or by other applications. A flow or pattern may include a sequence of accesses to a set of PII data elements. For example, during a learning stage, SEU 220 may identify that an application always accesses a first PII data element and then accesses a second PII data element (e.g., a PII data element that includes an address of a user is always accessed or read after reading or accessing a PII data element that includes the user's name). Such a pattern or flow may be recorded by SEU 220 (e.g., in connection profile 222 or in user profile 240) and the pattern or flow may be allowed or permitted by SEU 220. For example, if an allowed, recognized or identified pattern or flow includes accessing an address of a user after accessing the name of the user as described then SEU 220 may allow such a sequence of accesses but, if an application attempts to access the address of the user without first accessing the user's name, then SEU 220 may identify or determine that the access attempt is not according to a known or recognized pattern or flow and may prevent the access attempt, e.g., block a transmission of a PII data element that includes the user's address as described.
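As an added example (not code from the patent), the following Python sketch models the two learning-stage patterns described above: a time-of-day pattern (a backup application reading certain elements at 18:00 every day) and a sequence pattern (an address always read after a name), with the learned patterns then used to allow or block later access attempts. Application names, element names and the five days of constructed traffic are assumptions.

```python
"""Learning access patterns during a learning stage and enforcing them afterwards
(added example; not code from the patent). Two kinds of pattern from the text are
modelled: a time-of-day pattern (which application reads an element at which hour)
and a sequence pattern (an element is always read right after another one)."""
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Set


class PatternLearner:
    """Records who read which PII element at which hour and in which order."""

    def __init__(self) -> None:
        self.windows: Dict[str, Counter] = defaultdict(Counter)  # element -> Counter[(app, hour)]
        self.pairs: Dict[str, Counter] = defaultdict(Counter)    # app -> Counter[(prev, element)]

    def observe_flow(self, app: str, when: datetime, elements: List[str]) -> None:
        """One flow: an application reading the given elements in order at one time."""
        prev: Optional[str] = None
        for element in elements:
            self.windows[element][(app, when.hour)] += 1
            if prev is not None:
                self.pairs[app][(prev, element)] += 1
            prev = element

    def learned_profile(self, min_count: int = 3) -> "LearnedProfile":
        """Keep only patterns seen at least min_count times; turn them into rules."""
        windows: Dict[str, Set] = {}
        for element, counter in self.windows.items():
            allowed = {key for key, n in counter.items() if n >= min_count}
            if allowed:  # elements with no stable pattern stay unconstrained
                windows[element] = allowed
        predecessors: Dict[str, Dict[str, Set[str]]] = defaultdict(lambda: defaultdict(set))
        for app, counter in self.pairs.items():
            for (prev, element), n in counter.items():
                if n >= min_count:
                    predecessors[app][element].add(prev)
        return LearnedProfile(windows, predecessors)


class LearnedProfile:
    """Rules derived from the learning stage, applied to later access attempts."""

    def __init__(self, windows, predecessors) -> None:
        self.windows = windows            # element -> set of (app, hour) that may read it
        self.predecessors = predecessors  # app -> element -> elements that must precede it

    def decide(self, app: str, element: str, when: datetime, prev: Optional[str] = None) -> str:
        """Return 'allow' or 'block'; prev is the element read just before in this flow."""
        allowed = self.windows.get(element)
        if allowed is not None and (app, when.hour) not in allowed:
            return "block"  # wrong application or wrong time of day for this element
        required = self.predecessors.get(app, {}).get(element)
        if required and prev not in required:
            return "block"  # element read out of its learned sequence
        return "allow"


def build_profile() -> LearnedProfile:
    """Learning stage over five constructed days of traffic."""
    learner = PatternLearner()
    for day in range(1, 6):
        # Nightly backup reads the SSN and then the address at 18:00 every day.
        learner.observe_flow("backup", datetime(2016, 1, day, 18, 0), ["ssn", "address"])
        # A CRM application reads a user's name and then the address at 10:00.
        learner.observe_flow("crm", datetime(2016, 1, day, 10, 0), ["name", "address"])
    return learner.learned_profile(min_count=3)


def demo() -> Dict[str, str]:
    """Access attempts after the learning stage, with the decision for each."""
    profile = build_profile()
    t18 = datetime(2016, 2, 1, 18, 0)
    t10 = datetime(2016, 2, 1, 10, 0)
    t03 = datetime(2016, 2, 1, 3, 0)
    return {
        "backup ssn at 18:00": profile.decide("backup", "ssn", t18),
        "backup ssn at 03:00": profile.decide("backup", "ssn", t03),
        "payroll ssn at 18:00": profile.decide("payroll", "ssn", t18),
        "crm name then address": profile.decide("crm", "address", t10, prev="name"),
        "crm address without name": profile.decide("crm", "address", t10, prev=None),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case}: {decision}")
```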

In some embodiments, SEU 220 may automatically modify a set of connection profiles based on an event. For example, SEU 230 may include, or be provided with, a set of event identifications, event classifiers or characteristics of events and logic, and may, based on an event, create a rule. For example, based on an attempt, made from external system 236, to access a specific data element in protected system 210 (e.g., access data element 112), possibly at a specific time of day, SEU 230 may insert a new rule into connection profile 232 that prevents sharing any data of a person whose personal data is included in the specific data element.

Accordingly, a system and method according to some embodiments of the invention may receive or obtain a data unit transmitted over a network connection, wherein the data unit includes at least a portion of a PII data element, and may, based on a rule, perform at least one of: blocking transmission of the data unit, modifying the data unit, forwarding at least a portion of the data unit to a selected destination, storing the data unit, storing metadata related to the data unit, and reporting an event related to the data unit. Rules may include tokens. Tokenization of data elements is known in the art. For example, and as known in the art, credit card numbers are tokenized such that they are less exposed to exploitation. Data elements as described herein may be tokenized. For example, tokenizing may include associating user identities or data elements with tokens, numbers or values, e.g., “home address”=17, “name”=32 and so on. For example, a user token may be used to encrypt PII data elements of the user; accordingly, by obtaining user tokens, SEU 220 may decrypt PII data elements and process, or act based on, the decrypted PII data elements as described. Some embodiments of the invention may use tokens instead of, or in addition to, other identifiers of data elements. For example, Table 1 may include, in the “Data element” column, a token value of the data element, tokens may be detected or identified in data units transmitted over a managed network connection, and rules may be applied as described based on tokens.

Some embodiments of the invention may associate a connection profile with a network connection. For example, and as described, connection profile 222 may be associated with network connection 224 and the association may include using connection profile 222, e.g., by SEU 220, in order to manage transactions of data elements over network connection 224. A connection profile may be associated with, or used for managing transactions over, any number or selected set of connections.

For example, connection profile 222 may be associated with some, or even all, network connections of protected system 210 or connection profile 222 may be associated with the set of network connections that connect protected system 210 to external system 226. For example, a global connection profile may be used for a number of network connections. As shown by connection profiles 222 and 232, different connection profiles may be associated with, and used for, different network connections. For example, using network connection profile 232, SEU 230 may allow or enable customer names to be shared with, or sent, transmitted or forwarded to, external system 236. Accordingly, different data elements may be shared with different external systems using a plurality of network connection profiles.

A data element as referred to herein may include any data stored in a storage system, e.g., PII data elements such as any person-specific data, asset-specific data, personal data, contact information, demographic information, financial information, purchase information, an opinion, a field of interest, a driving license, a social security number, an image etc. A data element may include un-structured data as known in the art. For example, SEU 230 may use any systems or methods (e.g., deep packet inspection as known in the art) in order to identify, detect and/or extract a data element from any un-structured data communicated over a network connection.

User profiles 240 may be similar to connection profiles 222 and 232. For example, user profiles 240 may include rules as described and SEU 220 and SEU 230 may use rules in user profiles 240 as described with reference to connection profiles 222 and 232. User profiles 240 may include user specific rules or rules related to specific users. For example, user profiles 240 may indicate that the email address of John Doe is not to be shared. Accordingly, even though connection profile 222 allows sharing email addresses with external system 226 as in the above example, such that SEU 220 may generally allow transmission of email addresses to external system 226, based on a user specific rule related to John Doe, SEU 220 may block transmission of the email address of John Doe. Otherwise described, rules in a first profile may cause overriding of rules in another profile. User profiles 240 may be used for, or associated with, a selected set of network connections, e.g., user profiles 240 may be used to manage network traffic over network connection 224 but not used with respect to network connection 234. In some embodiments, user profiles 240 may be a global profile, e.g., used for all network connections of a protected system thus enabling, using a single profile, to protect sensitive PII data from being shared with any entity or system.

Accordingly, some embodiments of the invention may obtain a user profile that includes one or more rules, e.g., defined and/or created by a user, or automatically created as described herein with reference to connection profiles. Some embodiments of the invention may associate a user profile with a set of network connections. For example, user profiles 240 may be associated with one of network connections 224 and 234 or with both of these connections. As described, associating a user profile (e.g., a user profile in user profiles 240) may include providing the user profile to an SEU and configuring the SEU to use rules in the profile when managing network traffic on the connection as described. In general, SEU 220 may use a user profile in ways similar to the way SEU 220 uses a network connection profile. For example, SEU 220 may receive a data unit transmitted over a network connection, identify or detect, in the data unit, a data element related to the user (e.g., the name of the user). Based on a rule in a user profile, SEU 220 may perform any of the operations described herein with respect to SEU 220, e.g., block transmission of the data unit or data element, modify the data unit or data element, forward at least a portion of the data unit or data element to a selected destination, store the data unit or data element, store metadata related to the data unit or data element or report an event related to the data unit or data element.
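To illustrate the precedence described above, in which a user-specific rule in user profiles 240 overrides a connection profile that would otherwise allow an element, and a global connection profile (mentioned earlier) is applied before a connection's own profile, the following Python sketch (added here, not the patent's code) evaluates global, connection and user profiles in turn. Connection identifiers, subject names and the rules are constructed for the example.

```python
"""Layered profiles: global connection profile, connection-specific profiles
and per-user profiles (added example; not code from the patent)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

ALLOW, BLOCK = "allow", "block"


@dataclass
class Profile:
    name: str
    rules: Dict[str, str] = field(default_factory=dict)  # PII element -> ALLOW or BLOCK
    connections: Optional[Set[str]] = None               # connections it manages; None = all


def decide(element: str, subject: str, connection: str, global_profile: Profile,
           connection_profiles: List[Profile], user_profiles: Dict[str, Profile],
           default: str = ALLOW) -> Tuple[str, str]:
    """Return (action, name of the profile that decided it) for one PII element.

    Profiles are consulted from general to specific: the global profile, then
    the profiles associated with this connection, then the profile of the person
    whose data the element is. The last profile holding a rule for the element wins,
    so a user-specific rule overrides a connection rule that would allow sharing.
    """
    layers = [global_profile]
    layers += [p for p in connection_profiles
               if p.connections is None or connection in p.connections]
    user_profile = user_profiles.get(subject)
    if user_profile is not None and (user_profile.connections is None
                                     or connection in user_profile.connections):
        layers.append(user_profile)
    action, decided_by = default, "default"
    for profile in layers:
        if element in profile.rules:
            action, decided_by = profile.rules[element], profile.name
    return action, decided_by


def share(data_unit: Dict[str, str], subject: str, connection: str, global_profile: Profile,
          connection_profiles: List[Profile], user_profiles: Dict[str, Profile]):
    """Per-element selection: forward the allowed elements, drop the blocked ones.

    Returns (elements to forward, {blocked element: profile that blocked it}).
    """
    forwarded: Dict[str, str] = {}
    blocked: Dict[str, str] = {}
    for element, value in data_unit.items():
        action, decided_by = decide(element, subject, connection, global_profile,
                                    connection_profiles, user_profiles)
        if action == ALLOW:
            forwarded[element] = value
        else:
            blocked[element] = decided_by
    return forwarded, blocked


# Constructed profiles. Connection names "224" and "234" stand in for the
# patent's network connections 224 and 234.
GLOBAL = Profile("global", {"ssn": BLOCK})                    # applies to every connection
CONN_224 = Profile("conn-224", {"email": ALLOW, "address": BLOCK}, connections={"224"})
CONN_234 = Profile("conn-234", {"name": ALLOW, "email": BLOCK}, connections={"234"})
CONNECTIONS = [CONN_224, CONN_234]
# John Doe's email is never shared, but this user rule is only used on connection 224.
USERS = {"john.doe": Profile("user:john.doe", {"email": BLOCK}, connections={"224"})}


def demo():
    """One constructed data unit of John Doe's PII, sent over connection 224."""
    unit = {"name": "John Doe", "email": "john@example.com",
            "ssn": "000-00-0000", "address": "1 Main St, Springfield"}
    return share(unit, "john.doe", "224", GLOBAL, CONNECTIONS, USERS)


if __name__ == "__main__":
    print(demo())
```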

As described, SEU 220 and SEU 230 may store, save or record any information related to sharing of PII data elements, e.g., any event that includes sending a PII data element from protected system 210 to one of external systems 226 and 236 may be recorded or logged. As described, logging or recording an event may include storing or saving the actual PII data element sent or shared as well as metadata, e.g., when the PII data element was shared, with whom, over what connection and so on.

Any metadata related to a transaction from a protected system to an external system may be logged. For example, metadata related to a PII data element and its transmission or sharing may be logged or stored. For example, such metadata may include information such as: when the PII data element was sent or shared, to which destination it was sent, who accessed the PII data element, and from what storage system the PII data element was retrieved. Metadata may be, for example, information not in the PII data element itself but describing the PII data element.

Using logged and recorded data, some embodiments of the invention may present to a user a flow of PII data elements between a protected system and an external system. For example, a dashboard application as known in the art may graphically show which PII data elements of which users were shared between two systems, e.g., between protected system 210 and external system 226.

A dashboard may be used in order to configure rules. For example, in some embodiments, a flow may include presenting to a user data related to a PII data element obtained by an external system from a protected system; receiving, from the user, an indication that the PII data element should not be shared (e.g., restricted); and preventing the PII data element from being transferred to the external system. For example, SEU 220 may show to an administrator PII data elements sent from protected system 210 and, based on input from the administrator, create a rule in connection profile 222. For example, a graphical user interface (GUI) tool may show an administrator a list of PII data elements sent from protected system 210 to external system 236; the administrator may click on a PII data element in the list and use a pull-down menu to set an action such as “Allow”, “Block” or set any of the options described herein, e.g., with reference to Table 1 above. Input from an administrator received as described above may be used to create or update a rule in a connection profile and/or in a user profile. For example, if the administrator chose “Block” for a specific PII data element then a rule that causes SEU 220 to block or prevent sharing of the PII data element may be created, by SEU 220, in connection profile 222.

Metadata related to a transaction of PII data elements, from a first external system to a second external system, may be stored or logged and may be used as described herein. For example, SEU 220 may record metadata related to a flow of PII data elements from external system 226 to external system 236. For example, a flow of data between external system 226 and external system 236 may pass through SEU 220 and SEU 220 may accordingly record metadata and data related to transactions of PII data elements between these two external systems as described herein. Accordingly, a flow of PII data elements across a plurality of external systems may be recorded, logged and presented to a user as described herein.

Using data and information collected as described, a system and method according to some embodiments of the invention may present to a user a flow of PII data elements between a protected system and external systems. For example, a dashboard application may be operatively connected to SEU 220, SEU 230 and/or a storage system where SEU 220 and SEU 230 store collected data and the dashboard application may graphically present to a user any aspects of flow of PII data elements between protected system 210 and external systems 226 and 236.

A system and method according to some embodiments of the invention may receive, from a user, an indication of a sensitive or private PII data element that is not to be shared (or that is to be selectively shared) and may prevent the indicated PII data element from being transferred to, or otherwise shared with, an external system. For example, a dashboard application may (e.g., graphically) present to a user a PII data element that was sent from protected system 210 to external system 226 and the user may click on the presented data element in order to indicate that this particular data element is not to be shared. For example, based on user input (e.g., a click on a graphically presented data element) received via a dashboard or other graphical user interface (GUI) tool, SEU 220 may update connection profile 222 or user profiles 240, e.g., update or create a rule therein.
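Added as an illustration (not the patent's code), the following Python sketch keeps a metadata-only log of sharing events, builds the kind of flow map a dashboard would present (including a flow between two external systems that passes through the SEU), answers a "which PII of John Doe was shared since ..." query as described earlier, and turns an administrator's "Block" choice on a presented element into a rule in the connection profile. System names, connection identifiers, the record layout and the sample events are constructed.

```python
"""Metadata log of PII sharing events, a flow map built from it, and a dashboard
"Block" choice turned into a connection-profile rule (added example; not code
from the patent)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class SharingEvent:
    """Metadata only: describes the PII element's transmission, not its value."""
    when: datetime
    source: str        # system the element left
    destination: str   # system that received it
    connection: str    # managed connection the data unit travelled over
    subject: str       # person the PII element belongs to
    element: str       # kind of PII element, e.g. "email"
    accessed_by: str   # user or application that requested it
    storage: str       # storage system it was retrieved from


def flow_map(events: List[SharingEvent]) -> Dict[Tuple[str, str], Dict[str, Set[str]]]:
    """(source, destination) -> subject -> set of PII elements that flowed that way."""
    flows: Dict[Tuple[str, str], Dict[str, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for e in events:
        flows[(e.source, e.destination)][e.subject].add(e.element)
    return flows


def subject_report(events: List[SharingEvent], subject: str, since: datetime):
    """'Which PII elements of this person were shared since <time>, with whom, by whom?'"""
    return sorted({(e.element, e.destination, e.accessed_by)
                   for e in events if e.subject == subject and e.when >= since})


def block_from_dashboard(connection_profiles: Dict[str, Dict[str, str]],
                         event: SharingEvent) -> None:
    """An administrator chose "Block" for an element shown on the dashboard:
    add a block rule for that element to the profile of the connection it was seen on."""
    connection_profiles.setdefault(event.connection, {})[event.element] = "block"


# Constructed sample events. "protected-210", "external-226" and "external-236"
# stand in for the patent's protected system 210 and external systems 226 and 236.
EVENTS = [
    SharingEvent(datetime(2016, 1, 5, 9, 0), "protected-210", "external-226", "224",
                 "john.doe", "email", "reporting", "crm-db"),
    SharingEvent(datetime(2016, 1, 5, 9, 1), "protected-210", "external-226", "224",
                 "john.doe", "name", "reporting", "crm-db"),
    SharingEvent(datetime(2016, 1, 5, 18, 0), "protected-210", "external-236", "234",
                 "jane.roe", "name", "backup", "hr-db"),
    # A flow between two external systems that passes through the SEU is logged too.
    SharingEvent(datetime(2016, 1, 6, 11, 0), "external-226", "external-236", "226-236",
                 "john.doe", "email", "sync", "external-226"),
]


def demo():
    """Build the flow map, then apply an administrator's "Block" click on John Doe's
    email as shown on the protected-210 -> external-226 flow."""
    flows = flow_map(EVENTS)
    profiles: Dict[str, Dict[str, str]] = {"224": {"email": "allow"}}
    block_from_dashboard(profiles, EVENTS[0])
    return flows, profiles


if __name__ == "__main__":
    flows, profiles = demo()
    for edge, per_subject in flows.items():
        print(edge, dict(per_subject))
    print(profiles)
```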

Some embodiments of the invention improve a data flow in a system by monitoring and operating on specific PII data elements. Some embodiments of the invention improve a data flow in a system by monitoring and operating on PII data elements of specific users as well as based on the user or entity that accesses the PII data elements. For example, although systems known in the art, e.g., firewalls, may block specific ports, these systems cannot block specific PII data elements as described herein. By creating and maintaining specific computer data structures (e.g., a set of rules in a connection profile as described herein), some embodiments of the invention may monitor and manage sharing of specific PII data elements with specific users, sites or applications.

Accordingly, some embodiments of the invention address a computer-centric or internet-centric challenge of monitoring, recording and managing sharing of PII data elements. Using specific data objects (e.g., rules as exemplified by Table 1), some embodiments of the invention may modify data (e.g., modify a PII data element as described) and produce new or modified data, e.g., a modified PII data element as described.

Reference is made to FIG. 3 which shows a flowchart of a method according to illustrative embodiments of the present invention. As shown by block 310, a connection profile that includes at least one rule related to at least one PII data element may be obtained and associated with a network connection. For example, connection profile 222 may be created by a user and/or by SEU 220 as described and may be associated with network connection 224.

Some embodiments of the invention may associate a set or plurality of network connections with a connection profile. For example, protected system 210 may be an internal system (e.g., inside or in an organization's network) and all network connections between protected system 210 and the outside world (e.g., the internet) may be associated with a global connection profile such that any PII data element sent from protected system 210 to a system that is outside the organization is subjected to rules in the global connection profile. For example, protected system 210 may be a server connected to a network in an organization (e.g., an intranet) and connections 224 and 234 may connect the server (or the intranet) to the internet, or to a server of another organization. As described, specific connection profiles may be used in addition to a global connection profile or rule set. For example, after applying or performing actions based on a global connection profile, SEU 230 may further apply rules in connection profile 232 that is associated with a specific network connection as described.

As described, rules in a connection profile may be automatically and dynamically changed by SEUs 220 and 230. In some embodiments, a set of connection profiles may all be modified based on an event or input from a user. For example, based on input from a user that indicates email addresses should not be shared, connection profile 222 and connection profile 232 may be automatically changed to include the new restriction (e.g., rules in connection profiles 222 and 232 may be created, as described, to disable sharing of email addresses). In some embodiments, a management system or unit (not shown) may instruct SEU 220 and SEU 230 to modify connection profiles 222 and 232 based on an event. For example, upon identifying in protected system 210 a virus known to identify and use user names, a management system may modify (or instruct SEUs 220 or 230 to modify) connection profiles 222 and 232 such that user names cannot be shared by protected system 210.

As shown by block 315, a data unit transmitted over the network connection and including at least a portion of the PII data element may be received (e.g., by SEU 220 as described) and, based on a rule in the connection profile, an action may be performed. For example, and as described, SEU 220 may identify or discover a PII data element in a message sent over network connection 224 and, based on a rule in connection profile 222, perform one of: blocking transmission of the data unit that includes the PII data element, modifying the data unit, forwarding at least a portion of the data unit to a selected destination, storing the data unit, storing metadata related to the data unit, and reporting an event related to the data unit. For example, storing metadata may include logging which PII data element was accessed or shared, who accessed (or tried to access) the data element and so on. An action of reporting may include presenting to a user information such as which PII data elements were shared, with whom, when and so on.

As shown by block 320, a data element in a data unit may be modified based on data in a connection profile. For example, data elements, or portions thereof, may be modified as described. For example, a name of a user may be removed from, or modified in, a data unit that includes a user name PII data element as described. As shown by block 325, a flow of PII data elements may be presented, e.g., a map of flows of PII data elements from or between protected system 210, external system 226 and external system 236 may be presented, e.g., graphically on a monitor or display screen.

In some embodiments, a method or flow may include monitoring and managing sharing of PII data elements based on a user profile. For example, a user profile that includes a rule related to a specific user and to data elements may be configured by a user and may be associated with a set of connections. For example, user profile 240 may be associated with connection 224 and/or with network connection 234. A data unit that includes a PII data element pertaining to the user, and transmitted over one of the network connections associated with the user profile, may be received (e.g., by SEU 230). Based on a rule in the user profile, SEU 230 may perform an action, e.g., block transmission of the data unit, modify the data unit, forward at least a portion of the data unit to a selected destination, store the data unit, store metadata related to the data unit, and report an event related to the data unit. It will be understood that any number of user profiles may be used. For example, user profiles 240 may include profiles and rules for thousands of users and, accordingly, system 200 may apply different rules for different users. For example, based on rules in user profiles 240, system 200 may enable sharing the first name of a first user and prevent sharing of the first name of a second user.

In some embodiments, a method of managing the sharing of PII data elements may include associating a connection profile with a network connection, the network connection enabling sharing of PII data elements between a protected system and an external system. For example, network connection 224 may enable, or be used for, sharing PII data elements 211 and 212 between protected system 210 and external system 226 as described. A method or flow may include intercepting transmission of a PII data element transmitted over the network connection. For example, SEU 220 may intercept a transmission of PII data element 211 from protected system 210 to external system 226. For example, communication of data from protected system 210 to external system 226 may be via SEU 220 as known in the art, e.g., SEU 220 may act as a gateway as known in the art such that some or even all data sent from protected system 210 to external system 226 must pass through, or be provided to, SEU 220 prior to being sent to external system 226. Intercepting a transmission of a PII data element may include receiving the PII data element, analyzing the data element and deciding whether or not to forward the PII data element to its destination and/or deciding whether or not to modify the data element prior to sending it to its destination. A method or flow may include performing an action related to an intercepted PII data element. An action may be based on data in a connection profile. For example, data in a connection profile may include rules as described and an action (e.g., forwarding or modifying a PII data element by SEU 220) may be based on a rule in a connection profile.

For example, after intercepting, by SEU 230, a transmission of PII data element 212 from protected system 210 to external system 236, SEU 230 may find one or more rules related to PII data element 212 and may block a transmission of PII data element 212 to external system 236 (e.g., drop the packets that include PII data element 212 as known in the art). SEU 230 may, based on data in connection profile 232, modify PII data element 212, forward PII data element 212 to a destination indicated in connection profile 232, store PII data element 212, store metadata related to PII data element 212 (e.g., store information such as: when PII data element 212 was intercepted, to which destination PII data element 212 was sent and so on). SEU 230 may report an event related to an interception of a transmission of PII data element 212, e.g., any information stored, by SEU 230, in relation to PII data element 212 as described may be reported, e.g., sent to a preconfigured email address, displayed on a monitor and so on.

Unless explicitly stated, the method embodiments described herein are not constrained to a particular order in time or chronological sequence. Additionally, some of the described method elements may be skipped, or they may be repeated, during a sequence of operations of a method.

While certain features of the invention have been illustrated and described herein, many modifications, substitutions, changes, and equivalents may occur to those skilled in the art. It is, therefore, to be understood that the appended claims are intended to cover all such modifications and changes as fall within the true spirit of the invention.

Various embodiments have been presented. Each of these embodiments may of course include features from other embodiments presented, and embodiments not specifically described may include various features described herein.

1. A method of managing sharing of personally identifiable information (PII) data units, the method comprising: associating a policy with a network connection, the network connection enabling sharing of PII data units between a protected system and an external system; intercepting transmission of a PII data unit transmitted over the network connection; and based on data in the policy, performing at least one action selected from the group consisting of: blocking transmission of the data unit, modifying the data unit, forwarding at least a portion of the data unit to a selected destination, storing the data unit, storing metadata related to the data unit, and reporting an event related to the data unit.
2. The method of claim 1 comprising: obtaining a data unit including a set of PII data elements; and based on the policy, selecting to perform the at least one action for at least one PII data element included in the data unit.
3. The method of claim 1, comprising: selecting to share a data element included in the data unit with a first external system; and selecting to prevent sharing of the data element with a second external system.
4. The method of claim 1, comprising: obtaining a data unit including first and second PII data elements; selecting to share the first data element with an external system; and selecting to prevent sharing of the second data element with the external system.
5. The method of claim 1, wherein a PII data element included in the data unit includes at least one of: person-specific data, asset-specific data, personal data, contact info, customer demographics, financial info, purchase info, an opinion, a field of interest, a driving license, a social security number and an image.
6. The method of claim 1, comprising associating the policy with a set of connections.
7. The method of claim 1, comprising automatically modifying the policy based on an event.
8. The method of claim 1, comprising graphically presenting a map of flows of data elements.
9. The method of claim 1, comprising associating a data element with a token and performing an action based on a token identified in the data unit.
10. The method of claim 1, comprising modifying a data element in the data unit based on the policy.
11. The method of claim 1, wherein a data element in the data unit includes un-structured data.
12. The method of claim 1, comprising: obtaining a user profile, the user profile including at least one rule related to at least one data element; associating the user profile with a set of network connections; and performing the at least one action based on a rule included in the user profile.
13. The method of claim 1, wherein rules included in the policy are related to at least one of: a request related to the PII data element, a response related to the PII data element, a source of a request related to the PII data element, a method or system used for accessing the PII data element, a time when the PII data element was accessed, a frequency of accessing the PII data element, a user accessing the PII data element, an application accessing the PII data element, a storage system or location of the PII data element, a flow that includes accessing the PII data element, and a pattern related to accessing the PII data element.
 14. The method of claim 1, the methodcomprising: storing metadata related to a transaction, from a protectedsystem to an external system, of at least a portion a PII data elementincluded in the protected system; and presenting to a user a flow of PIIdata between the protected system and the external system based on themetadata.
 15. The method of claim 1, the method comprising: presentingto a user data include in a PII data unit obtained by the externalsystem; receiving from a user indication of restricted PII data; andpreventing the restricted PII data from being transferred to theexternal system.
 16. The method of claim 1, comprising: storing metadatarelated to a transaction, from the external system to a second externalsystem, of at least a portion the PII data element; and presenting to auser a flow of PII data across a plurality of external systems based onthe metadata.
 17. A system for managing sharing of personallyidentifiable information (PII) data units, the method comprising: amemory; and a controller configured to: associate a connection profilewith a network connection, the network connection enabling sharing ofPII data units between a protected system and an external system;intercept transmission of a PII data unit transmitted over the networkconnection; and based on data in the connection profile, perform atleast one action selected from the group consisting of: blockingtransmission of the data unit, modifying the data unit, forwarding atleast a portion of the data unit to a selected destination, storing thedata unit, storing metadata related to the data unit, and reporting anevent related to the data unit.
 18. The system of claim 17, wherein thecontroller is further configured to: obtain a data unit including a setof PII data elements; and based on the connection profile, select toperform the at least one action for at least one PII data elementincluded in the data unit.
 19. The system of claim 17, wherein thecontroller is further configured to: select to share a data elementincluded in the data unit with a first external system; and select toprevent sharing of the data element with a second external system. 20.The system of claim 17, wherein the controller is further configured to:obtain a data unit including first and second PII data elements; selectto share the first data element with an external system; and select toprevent sharing of the second data element with the external system.